Tracking web users is all the rage


• Show ads!
• Inject QUANTUM malware
• Cybercatch cybercriminals
• Gather website analytics
• Detect fraud / droidnets
• Enforce paywalls

etc. 


A long time ago in a galaxy far, far away ... 


Obi-Wan tracked Luke using:

• cookies
• passive fingerprinting* (IP address, locales, user-agent, OS, etc.)
• sweet Jedi mind tricks

* In this presentation, fingerprinting == any non-cookie web tracking method.


THE ADBLOCKERS* STRIKE BACK

* In this presentation, adblocker == any tool that blocks web tracking (including non-advertising).


THE PHANTOM ADBLOCKER BLOCKERS


Washington Post disables reading of articles 
for people with ad blocker software. 


REVENGE OF THE ADBLOCKER BLOCKER BLOCKERS!!! 
[Screenshot: store listing for an anti-anti-adblock browser extension]

This extension hides your AdBlocker from Anti-AdBlock scripts on websites such as putlocker.com, watchfreeinhd.com and more. This is an anti-anti-adblock extension, which removes time penalties and popups/warnings about your activated AdBlocker.

Version: 1.2
Updated: October 8, 2015
Size: 52.07KB
Language: English


A New Hope: Browser Fingerprinting 


• Evade blocking algorithms that blacklist domains based on cookie frequency (ex: Privacy Badger).
• Track users who disable 3rd party cookies (ex: Safari).
• Harder to delete than cookies.
• Can reveal new information about a user.


new web features == new fingerprinting techniques

• active fingerprinting (HTML5 canvas, clock skew, installed fonts & plugins, WebRTC...)
• supercookies (Flash cookies, caches, HSTS, etags...)


Fingerprinting attacks in the wild

Mike O'Neill (tweet): WebRTC being used now by embedded 3rd party on nytimes.com to report visitors' local IP addresses.
Analytics: Cookie Leakage

Use cookies to identify Tor users when they are not using Tor

• Current: preliminary analysis shows that some cookies "survive" Tor use. Depends on how target is using Tor (Torbutton/Tor Browser Bundle clears out cookies).

• Goal: test with cookies associated with CT targets
  — Idea: what if we seeded cookies to a target?
  — Investigate Evercookie persistence


#realtalk 


How would you track a 
paranoid user who clears 
cookies & uses an adblocker? 


Could fingerprint them, but 
adblockers & browsers will 
get better at blocking you... 


... unless blocking causes too 
much collateral damage. 


Collateral: 


Privacy-conscious users usually 
care about security. 


Can we fingerprint them using 
security features that are too 
important for them to turn off? 


Trick #1: Abuse HTTP Public Key Pinning


HPKP (RFC 7469) 


Server: One of these hashes must be in the TLS cert chain you receive from me.

Browser: DOPE!!! NEXT TIME I SEE YOU I WILL CHECK IT BEFORE I WRECK IT


Public-Key-Pins:
    max-age=3000;
    pin-sha256="d6qzRu9zOECb90Uez27xWLtNsjOe1Md7GKYYKVOZWmM=";
    pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=";
    report-uri="http://example.com/report";
    includeSubdomains;

• max-age: How long to cache this shit for.
• first pin-sha256: SHA-256 of a pub. key in the cert chain. Browser checks & caches this.
• second pin-sha256: SHA-256 of a backup pub. key (required). Must NOT be in the cert chain. Browser caches this.
• report-uri: POST endpoint to report validation failures (optional).
• includeSubdomains: Whether to pin for the host's subdomains as well (optional).


Supercookie #1: fake backup pins 


1. https://example.com sets a unique backup pin for each user + includeSubdomains + report-uri.

2. <img src="https://bad.example.com"> serves a chain that deliberately fails pin validation.

3. A validation failure report is sent which includes a unique cached backup pin!
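The check a site operator or auditor would want against Supercookie #1: a single Public-Key-Pins header looks fine on its own, so the tell is that the "backup" pin changes between fresh sessions. This is an added example, not code from the talk; the SPKI hash constants, the sample headers and the visitor ids are constructed placeholders.

```python
# Constructed 44-character base64 placeholders for SPKI hashes; not real keys
# and not the values shown in the talk's example header.
LEAF = "LEAF" + "0" * 39 + "="
INTER = "INTER" + "0" * 38 + "="
BACKUP = "BACKUP" + "0" * 37 + "="
CHAIN_SPKI = {LEAF, INTER}   # hashes of the keys actually served in the TLS chain

def parse_pkp(value):
    """Split a Public-Key-Pins value (RFC 7469 syntax) into pins and other directives."""
    pins, directives = [], {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, val = part.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            pins.append(val)
        else:
            directives[name] = val
    return pins, directives

def audit_pkp(value, chain_spki):
    """Problems a browser (or an operator's own check) would find in one header."""
    pins, directives = parse_pkp(value)
    problems = []
    if not any(p in chain_spki for p in pins):
        problems.append("no pin matches the served chain: browsers would refuse the connection")
    if not any(p not in chain_spki for p in pins):
        problems.append("no backup pin outside the chain: RFC 7469 requires one")
    if not directives.get("max-age", "").isdigit():
        problems.append("max-age missing or not an integer")
    return problems

def backup_pins_vary(headers, chain_spki):
    """Tracking indicator across fresh sessions: an honest site pins one backup
    key for everyone; a distinct 'backup' pin per visitor is Supercookie #1,
    read back later through the report-uri failure report."""
    per_session = {frozenset(p for p in parse_pkp(h)[0] if p not in chain_spki)
                   for h in headers}
    return len(per_session) > 1

def pkp_header(backup_pin):
    """Constructed header using the directives from the talk; only the backup pin varies."""
    return (f'max-age=3000; pin-sha256="{LEAF}"; pin-sha256="{backup_pin}"; '
            f'report-uri="http://example.com/report"; includeSubdomains')

HONEST = pkp_header(BACKUP)                                        # same for every session
TRACKING = [pkp_header(f"{v:0>43}=") for v in ("visitor-a", "visitor-b")]  # per-visitor pins
```

Fetching the header from several cookie-less sessions and feeding the list to `backup_pins_vary` is the whole test; `audit_pkp` catches the plainer misconfigurations on the way.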


Trick #2: Abuse HTTP Strict Transport 
Security + Content Security Policy 


HSTS (RFC 6797) 


Server: Hey, I just met you, and this is crazy, but please only call me over HTTPS for the next 604800 seconds.


Browser: OK 


Strict-Transport-Security:
    max-age=3000;
    includeSubdomains;

• max-age: How long to remember to only connect to this host via HTTPS.
• includeSubdomains: Whether subdomains should also only be connected to over HTTPS (optional).


Supercookie #2: HSTS cache state 


1. sneaky.com wants to fingerprint users. 
2. example.com is known to support HSTS. 


3. sneaky.com/index.html embeds <img src="http://example.com">.


What happens then? 


Case 1: Browser has never visited example.com 


-> makes a network round-trip, gets 301/302 to 
https://example.com 


Case 2: Browser visited example.com before. 


-> HSTS causes an “internal” redirect (307) to 
https://example.com/ ~immediately 


If we can measure the HTTP to HTTPS redirect latency, we can distinguish Case 1 from Case 2!


Q: How do we measure that?
A: Abuse one more browser security feature.


Content Security Policy (W3C spec) 


Server: For your safety, please only allow resources of type <X> from origins <A> & <B> while on this page.

Browser: I GOT U FAM


Content-Security-Policy:
    img-src https://*;
    script-src 'self' *.scripts.com cdn.example.com;

• img-src: Allow images to load from HTTPS origins.
• script-src: Allow scripts to load from the page's origin, *.scripts.com, and cdn.example.com only.


The Missing Ingredient:
Set CSP to img-src http://*


HTTPS image requests are blocked and 
fire an error event to JS listeners. 


Why is this useful?


1. JS only lets us listen for img onerror and 
onload events. Turns out CSP violation 
triggers onerror consistently and early in 
the fetch pipeline. 

2. If browser ever completes a request for 
https://example.com, it will get the HSTS 
pin and future results are polluted. CSP 
prevents this from happening! 


After setting CSP: 


Case 1: Browser has never visited example.com 


-> makes network request, gets 301/302 to 
https://example.com, img onerror fires. 


Case 2: Browser visited example.com before. 


-> HSTS rewrites src to https://example.com/ ~immediately, img onerror fires.


How long does the HTTP to HTTPS redirect take? 


Case 1: Browser has never visited example.com 


-> Order of 100ms depending on network latency 
and site response time. 


Case 2: Browser visited example.com before. 


-> Order of 1ms, independent of the site and network conditions.


Putting it all together 


Remember the CSS visited-selector bug? 


CSS History Sniffing (Coates, 2011)

• Determine user's browsing habits with CSS
• Visited link styled differently than non-visited link
• CSS and element inspection determines visited pages, e.g. checking whether getComputedStyle(link, "") gives "rgb(0, 0, 128)" to tell whether link.href has or has not been visited
• Issue fixed March 2010

http://dbaron.org/mozilla/visited-privacy


That was soooooo 2010


New plan: 


1. Scrape Alexa Top 1M for hosts that send HSTS 
and aren’t preloaded. 

2. Load all the HSTS hosts asynchronously on 
one page. 

3. Measure the onerror timing & separate hosts 
into visited and unvisited. 
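Step 1 skips preloaded hosts because a preloaded host's HTTPS-only state ships inside the browser and is identical for every user, so there is no per-user state for the timing sniff to read back; a site that sends HSTS dynamically is the one that leaks. As an added example (not from the talk or its demo code), this Python checks a Strict-Transport-Security value against the hstspreload.org submission rules as I understand them (max-age of at least one year, includeSubDomains, preload) and classifies where a browser's HSTS knowledge for a host comes from; the host names and the stand-in preload set are constructed.

```python
ONE_YEAR = 31536000  # hstspreload.org minimum max-age in seconds (assumption: current rules)

def parse_hsts(value):
    """Split a Strict-Transport-Security value (RFC 6797 syntax) into a directive dict."""
    directives = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def preload_problems(value):
    """Reasons a header would be turned down for preload-list submission."""
    d = parse_hsts(value)
    problems = []
    max_age = d.get("max-age", "")
    if not max_age.isdigit():
        problems.append("max-age missing or not an integer")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age={max_age} is below the one-year minimum ({ONE_YEAR})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems

def hsts_state_source(host, header, preload_list):
    """Where a browser's 'HTTPS only' knowledge for this host comes from.
    'preloaded' state is the same for every user and so holds no history;
    'dynamic' state is created by the user's first visit, which is exactly
    what the redirect-timing sniff recovers. Simplification: exact host match
    only; real preload entries with includeSubDomains also cover subdomains."""
    if host in preload_list:
        return "preloaded"
    if header:
        max_age = parse_hsts(header).get("max-age", "")
        if max_age.isdigit() and int(max_age) > 0:   # max-age=0 clears the entry
            return "dynamic"
    return "none"

# Constructed inputs: the header from the talk, a preload-eligible header, and a
# stand-in preload set (the real list lives at https://hstspreload.org/).
TALK_HEADER = "max-age=3000; includeSubdomains;"
ELIGIBLE_HEADER = "max-age=31536000; includeSubDomains; preload"
PRELOADED = {"preloaded.example"}
```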


Turns out... 


Redirect timing is hard to measure accurately for 300+ async image loads at once.


Improved by calibrating 
timing drift using a request 
to a preloaded HSTS host 
every other request. 


Chrome still had many false positives; confirmed timings for positive results using synchronous loads.
demo: http://zyan.scripts.mit.edu/sniffly

scraper + tracker code: https://github.com/diracdeltas/sniffly


Your mileage may vary 


• Results depend on latest HSTS preload list.
• HTTPS Everywhere & other extensions cause false positives.
• Doesn't work as-is in Tor Browser thanks to 100 ms timing buckets.


Your mileage may vary 


• Only leaks origin, not full path . . . or does it? 


Actually, looks feasible to adapt this attack to leak 
the 301 redirect cache instead of the HSTS cache. :) 


TO BE CONTINUED... 


The End 


Call me maybe: 


yan@mit.edu / @bcrypt 


Special thanks to Scott 
Helme, Jan Schaumann, 
Chris Palmer, and Chris 
Rohlf for feedback and 
demo testing. 